With the proliferation of interconnected information systems and computers, security has become a major issue for companies. Cyber-attacks focused on gaining complete control over the systems, stealing sensitive business or personal information contained in them or disrupting operations though the exploitation of software vulnerabilities and misconfigurations are frequently hitting the headlines. As used herein, “cyber-risk” refers to a degree of vulnerability of a computer based system to unauthorized access to that system based on the vulnerabilities present in the system, and the probability of an attacker to exploit these vulnerabilities and misconfigurations. Cyber-risk may be used to indicate the degree to which companies may be exposed to cyber-attacks.
Measurement of cyber-risk on information systems and investment in cyber-insurance policies are topics of interest among government agencies and in the private sector. Despite the attention it has received there is still little public information about incidents involving cyber-risk.
Also, information technology (IT) security investment and cybercrime costs have been subjects of wide interest among researchers. Investment in cyber-risk is a key element of business practices in most industries and government agencies.
A central problem for organizations is the huge amount of security patches inside their ecosystems. From operating system (OS) level patches to application-specific patches, the practice of prioritizing and applying the fixes for security issues has been long debated. It has been recently suggested that prioritizing patches according to the Common Vulnerability Scoring System (CVSS—an industry standard scoring system for software vulnerabilities) of the vulnerabilities is an inefficient practice that is sometimes misleading in terms of the level of protection this prioritization gives to the organizations.
In the business arena, organizations have relied on business-critical applications to manage their most valuable assets and processes since the 1970s. The first 30 years of this kind of software were focused on building customizable products where organizations mapped their critical business processes. The biggest competitors for this type of platforms are SAP and Oracle.
During the first 30 years of existence of business-critical applications, the main security concern for administrators was directed to the correct assignment of permissions and roles, an activity that received the name of Segregation of Duties (SoD). A major reason for focusing on SoD activities was to prevent fraudulent activities inside the company (e.g., between employees) and to comply with the wide variety of regulations in different industries imposed by external regulation entities such as SOX, HIPAA and NERC among others.
In 2007 the first presentation demonstrating technical attacks on the internals of Business-Critical applications appeared. This opened the door for a new approach to security and exposed major threats for these giants managing the “crown jewels” of the biggest businesses of the world.
Despite an increasing interest in mitigating cyber-attacks, measuring risk and having a patching strategy sound with that risk measure is still largely an unsolved problem. Even for those organizations with clear cyber-insurance policies, modeling cyber-risk is a very difficult task.
Cyber-risk measurement is not merely an IT Security issue, having gravitated into the very core of businesses, and requiring novel and realistic approaches for real-life scenarios.
A vast variety of platforms, operating systems, applications, and configurations may be present in a given organization. Mixing this with the heterogeneous security practices followed by vendors and the diversity of patching policies makes it very difficult to properly develop a cyber-risk model that can help in the task of correctly measuring and mitigating risk.
In the article entitled “Modeling cyber-insurance: Towards a unifying framework. In 9th Annual Workshop on the Economics of Information Security,” (WEIS 2010, Harvard University, Cambridge, Mass., USA, Jun. 7-8, 2010), Rainer Bohme and Galina Schwartz pointed out that “the market for cyber-insurance failed to thrive and remained in a niche for unusual demands: coverage is tightly limited, and clients include SMBs [Small and Medium Businesses] in need for insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.” Companies may be absorbing excess risk because the market of cyber-risk has not yet exploded. This produces an economical and financial impact which makes the problem of measuring cyber-risk a concern across the whole organization, rather than an exclusive concern of IT security teams.
This demonstrates two major needs: First, financial and non-IT teams need an understandable language to correctly manage cyber-risk. Second, IT Security teams still need a methodology that allows the prioritization of fixes transforming the measured cyber-risk into actionable milestones.
In view of the shortcomings discussed above, there is a need for systems and methods for automated cyber-risk calculation in business-critical applications that take a fresh approach and overcomes the drawbacks of the conventional techniques.